[openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error

Rajeswari K raji.kotamraju at gmail.com
Mon Feb 2 02:18:10 UTC 2015


Hello Openssl users,

I am facing a "no shared cipher" error during the SSL handshake when I
try to negotiate an ECDHE cipher suite.

We are using openssl-1.0.1j version.  Can you please share your thoughts?

Following are the logs during SSL Handshake.

Server has 2 from 0xE29690E0:
0x10B42900:ECDHE-ECDSA-AES256-SHA
0x10B428D0:ECDHE-ECDSA-AES128-SHA
Client sent 2 from 0xE442F5B0:
0x10B42900:ECDHE-ECDSA-AES256-SHA
0x10B428D0:ECDHE-ECDSA-AES128-SHA
rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000089:00000005]0x10B42900:ECDHE-ECDSA-AES256-SHA
rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000089:00000005]0x10B428D0:ECDHE-ECDSA-AES128-SHA


*Feb  2 01:00:46.884: SSL_accept:before/accept initialization
*Feb  2 01:00:46.884: SSL_accept:would block on read in SSLv3 read client hello B

*Feb  2 01:00:47.892: <<< TLS 1.2 Handshake [length 0092], ClientHello
*Feb  2 01:00:47.892:     01 00 00 8E 03 03 C3 CB 15 58 20 B9 49 1D 73 C7
*Feb  2 01:00:47.892:     F8 C1 4D 31 10 A1 B6 D9 62 9E DF 91 A8 DC 8F 79
*Feb  2 01:00:47.892:     95 79 20 55 AC CF 00 00 06 C0 0A C0 09 00 FF 01
*Feb  2 01:00:47.893:     00 00 5F 00 0B 00 04 03 00 01 02 00 0A 00 34 00
*Feb  2 01:00:47.893:     32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00
*Feb  2 01:00:47.893:     0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00
*Feb  2 01:00:47.893:     04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00
*Feb  2 01:00:47.893:     10 00 11 00 0D 00 16 00 14 06 01 06 03 05 01 05
*Feb  2 01:00:47.893:     03 04 01 04 03 03 01 03 03 02 01 02 03 00 0F 00
*Feb  2 01:00:47.893:     01 01
*Feb  2 01:00:47.893: TLS client extension "EC point formats" (id=11), len=4

*Feb  2 01:00:47.893:     03 00 01 02
*Feb  2 01:00:47.893: TLS client extension "elliptic curves" (id=10), len=52

*Feb  2 01:00:47.893:     00 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09
*Feb  2 01:00:47.893:     00 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15
*Feb  2 01:00:47.893:     00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F
*Feb  2 01:00:47.893:     00 10 00 11
*Feb  2 01:00:47.893: TLS client extension "signature algorithms" (id=13), len=22

*Feb  2 01:00:47.893:     00 14 06 01 06 03 05 01 05 03 04 01 04 03 03 01
*Feb  2 01:00:47.893:     03 03 02 01 02 03
*Feb  2 01:00:47.893: TLS client extension "heartbeat" (id=15), len=1

*Feb  2 01:00:47.893:     01

*Feb  2 01:00:47.894: >>> TLS 1.2 Alert [length 0002], fatal handshake_failure
*Feb  2 01:00:47.894:     02 28
*Feb  2 01:00:47.894:
Router#
*Feb  2 01:00:47.894: SSL3 alert write:fatal:handshake failure
*Feb  2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
*Feb  2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher  s3_srvr.c:1381:


I have updated with a temporary ECDH callback during SSL server initialization.

The ECDSA certificate is being signed using openssl commands.

I am not seeing any issue with RSA-based ciphers; only the ECDSA-based
ciphers are having a problem on my setup.

Can you please share whether the certificate loading is something different
from RSA?

Thanks,
Rajeswari.
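As an added example (not part of Rajeswari's post and not OpenSSL's own code), here is a small decoder for the `ok:[alg_k:alg_a:mask_k:mask_a]ptr:NAME` lines that OpenSSL 1.0.1 prints from `ssl3_choose_cipher()` when built with `CIPHER_DEBUG`. The first two fields are what the cipher suite requires (key exchange, authentication); the last two are what the server's loaded certificates and temporary keys provide, and a suite is accepted only if both halves intersect. The bit values are the `SSL_k*` / `SSL_a*` constants from `ssl/ssl_locl.h` of the 1.0.1 series as I recall them, so treat them as an assumption and check them against the tree you build; the sample input is the two lines quoted in the post.

```python
"""Decode OpenSSL 1.0.1 CIPHER_DEBUG cipher-selection lines.

Added example for the thread above; not code from the original post or from
the OpenSSL project.  The bit values are assumed from ssl/ssl_locl.h of the
OpenSSL 1.0.1 series (SSL_kXXX / SSL_aXXX); verify them against your tree.
"""
import re

# Key-exchange bits, used for both alg_k (what the suite needs) and mask_k
# (what the server can offer).
KX_BITS = {
    0x001: "kRSA", 0x002: "kDHr", 0x004: "kDHd", 0x008: "kEDH",
    0x010: "kKRB5", 0x020: "kECDHr", 0x040: "kECDHe", 0x080: "kEECDH",
    0x100: "kPSK", 0x200: "kGOST", 0x400: "kSRP",
}

# Authentication bits, used for both alg_a and mask_a.
AUTH_BITS = {
    0x001: "aRSA", 0x002: "aDSS", 0x004: "aNULL", 0x008: "aDH",
    0x010: "aECDH", 0x020: "aKRB5", 0x040: "aECDSA", 0x080: "aPSK",
    0x100: "aGOST94", 0x200: "aGOST01", 0x400: "aSRP",
}

# Matches printf("%d:[%08lX:%08lX:%08lX:%08lX]%p:%s") output; the %p may or
# may not carry a 0x prefix depending on the platform's libc.
CIPHER_LINE = re.compile(
    r"^(?P<ok>\d+):\[(?P<alg_k>[0-9A-Fa-f]{8}):(?P<alg_a>[0-9A-Fa-f]{8}):"
    r"(?P<mask_k>[0-9A-Fa-f]{8}):(?P<mask_a>[0-9A-Fa-f]{8})\]"
    r"(?P<ptr>(?:0x)?[0-9A-Fa-f]+):(?P<name>\S+)$"
)


def bit_names(value, table):
    """Expand a bit mask into the SSL_k*/SSL_a* names it contains, low bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def decode(line):
    """Parse one cipher-selection line into its parts, or return None if it is not one."""
    m = CIPHER_LINE.match(line.strip())
    if m is None:
        return None
    alg_k, alg_a, mask_k, mask_a = (
        int(m.group(g), 16) for g in ("alg_k", "alg_a", "mask_k", "mask_a")
    )
    return {
        "name": m.group("name"),
        "ok": m.group("ok") != "0",
        "suite_kx": bit_names(alg_k, KX_BITS),
        "suite_auth": bit_names(alg_a, AUTH_BITS),
        "server_kx": bit_names(mask_k, KX_BITS),
        "server_auth": bit_names(mask_a, AUTH_BITS),
        # Mirrors ok = (alg_k & mask_k) && (alg_a & mask_a) in ssl3_choose_cipher.
        "kx_ok": bool(alg_k & mask_k),
        "auth_ok": bool(alg_a & mask_a),
    }


def explain(line):
    """One-line verdict: which half (key exchange / authentication) the server lacks."""
    d = decode(line)
    if d is None:
        return None
    if d["ok"]:
        return "%s: usable" % d["name"]
    reasons = []
    if not d["kx_ok"]:
        reasons.append("key exchange needs %s, server offers %s" % (
            "/".join(d["suite_kx"]), ",".join(d["server_kx"]) or "nothing"))
    if not d["auth_ok"]:
        reasons.append("authentication needs %s, server offers %s" % (
            "/".join(d["suite_auth"]), ",".join(d["server_auth"]) or "nothing"))
    return "%s: rejected, %s" % (d["name"], "; ".join(reasons))


# Sample input: the two cipher-selection lines quoted in the post above.
SAMPLE = """\
0:[00000080:00000040:00000089:00000005]0x10B42900:ECDHE-ECDSA-AES256-SHA
0:[00000080:00000040:00000089:00000005]0x10B428D0:ECDHE-ECDSA-AES128-SHA
"""

if __name__ == "__main__":
    for sample_line in SAMPLE.splitlines():
        print(explain(sample_line))
```

Run over the two lines from the post, the decoder reports that the key-exchange half matches (mask_k 0x89 is kRSA|kEDH|kEECDH, consistent with `ecdht=1` from the temporary ECDH callback) but the authentication half does not: mask_a 0x05 is aRSA|aNULL and carries no aECDSA bit, while both suites require exactly aECDSA. That is the half to check on the server: the masks only gain aECDSA once an ECDSA certificate and its private key are installed in the SSL_CTX (and, if the certificate has a keyUsage extension, it must allow digitalSignature); `SSL_CTX_check_private_key()` is a quick way to confirm the loaded pair matches.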